Apache Log4j Unsupported Version Detection

critical Nessus Plugin ID 156032


A logging library running on the remote host is no longer supported.


According to its self-reported version number, the installation of Apache Log4j on the remote host is no longer supported. Log4j reached its end of life prior to 2016.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.


Upgrade to a version of Apache Log4j that is currently supported.

Upgrading to the latest versions of Apache Log4j is highly recommended, because intermediate versions and patches have known high-severity vulnerabilities and the vendor updates its advisories often as new research and knowledge about the impact of Log4j emerges. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.

Plugin Details

Severity: Critical

ID: 156032

File Name: apache_log4j_unsupported.nasl

Version: 1.4

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 12/13/2021

Updated: 5/18/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Rationale: Tenable score for unsupported software.


Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual


Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:apache:log4j

Required KB Items: installed_sw/Apache Log4j

Reference Information

IAVA: 0001-A-0650